Security threats explained: Hacktivism

In this series, Computerworld Australia examines some of the information security threats facing small businesses and larger enterprises today. We've looked at social engineering and internal negligence and continue the series by speaking to security experts about the problem of hacktivism.

Hacktivism, according to Quest Software, is politically motivated hacking conducted by groups such as Anonymous and LulzSec. For example, in May 2012, Anonymous claimed it had hacked the United States Bureau of Justice Statistics and released 1.7 gigabytes of data including internal emails and database information.

In a statement, the group said it was releasing the data to "spread information, to allow the people to be heard and to know the corruption in their government."

According to IDC Australia senior market analyst Vern Hue, while some hacktivists were out to make a political statement, the majority did not have an intended target or cause, and retrospectively justified the hack once they had succeeded in infiltrating a website.

"Hacktivists often seek out vulnerabilities, most often by means of exploiting a Web application vulnerability on a website," he says. "These threats are very real and scary as these attacks have no logical and predictable trend."

Hue added that every organisation, from governments to enterprises, was vulnerable to the attacks.

IBM Australia security systems business unit executive, Jason Burns, says hacktivism is becoming a threat, not only to organisations but to individuals as well, because of the methods used by hacktivists.

"Hacktivists are increasingly resorting to automated password guessing programs, attacks on mobile gadgets and phishing attacks that trick people into downloading viruses or revealing sensitive information," he says. "These attacks pose a serious threat to any organisation."

Sourcefire US vice president of security strategy, Jason Brvenik, likened the hacktivism climate to civilians being the target of warfare.

"Everything and everyone is a target, there are no boundaries and there is no moral code," he says.

Brvenik adds that hacktivism has come to mean criminal use of technology to attack something the hackers don't agree with.

"This hurts ordinary people, damages the perception of the hacktivists, and results in ordinary people being hurt," he says.

Extent of the threat

In order to prove their point, hacktivists are out to either deface an organisation's webpage or steal valuable data from the server, says IDC's Hue. "Currently, their main form of attack comes in the way of malware and hacking," he says.

"In some cases, hacktivists also launch distributed denial of service [DDoS] attacks in order to bring a webpage down to prove their point."

For the organisation targeted, a DDoS attack would cause a disruption in daily operations and potential financial losses, due to a loss of confidence in the business.

According to IBM's Burns, the attacks can leave a business exposed with sensitive information out in the public domain.

"From an individual perspective, these attacks have a way of manipulating information to make specific individuals look or appear to look bad, when this might not be the case," he says.

Addressing hacktivism

Hacktivism in its proper form is, in theory, easily addressed, according to Sourcefire's Brvenik, by not making business decisions that challenge the rights of the people.

"This is never as easy as it sounds. As people we make mistakes and don't always see the downstream impacts of our actions," he says.

Beyond designing internal systems that are easily audited and applying appropriate security controls to customer information and intellectual property, Brvenik added, some adjustments to corporate culture might be needed.

"Develop a corporate culture that values the customer, values their rights, and strives to find the balance between business and people in an acceptable way."

IDC's Hue warns that because anyone can be a target of hacktivists, the best way of addressing hacktivism is to maintain a high level of security fortitude. "The first thing organisations need to do is to perform a network configuration to block the attack by using intrusion detection and prevention systems [IPS]," he says.

According to Hue, the appliances can detect where an attack is coming from and, with the right configuration, automatically block the attack traffic.

"It is also vital that organisations take a proactive step into ensuring that the proper logging is configured in all security devices, so that in the event of an attack, the log data can be examined and handed over to law enforcement agencies," he says.

IBM's Burns says that two areas need to be addressed within organisations to combat possible hacktivism attacks.

The first is to implement a security awareness program. "Education and awareness of security threats throughout any organisation is key to minimising threats and reducing risk," he says. According to Burns, the security policies need to come from C-level executives and be distributed throughout the organisation.

"The policies should also include shareholders and directors of the company, as these attacks can sometimes target individuals," he says.

Once the security policies were in place, the implementation of integrated security products that map back to the policies was essential to reducing the risk of threats.

"All of these elements must be in sync and working together to give organisations a much greater chance of minimising threats," Burns says.